Tailscale private access

Tailscale private access stays separate from public dev links.

Tailscale is a first-class access mode for teams that want private shell or runtime routes. It can run beside Auth0 login and signed dev links, or a workspace can be Tailscale-only when public dev link access should stay closed.

private access: organization scoped

tailnet: acme.ts.net

shell: tagged envforge-shell

runtime: tagged envforge-runtime

public dev gateway: optional

signed dev links: app surface only

Access modes

Private access chooses the surface before the host.

The product setting should say whether the team is opening shell access, runtime access, or a fully private workspace. Users should not need raw VM names, IP addresses, or unmanaged SSH hostnames.

Shell access: private SSH surface

Developers and agents can reach the workspace shell through the customer tailnet when the organization enables private shell access.

Runtime access: private service surface

Runtime services can join the same tailnet for private app, API, database proxy, cache, or worker debugging without turning those routes public.

Tailscale-only workspace: public gateway disabled

A workspace can keep public dev link access off while still allowing approved tailnet users to reach shell and runtime surfaces.

Provisioning

Tailscale joins are automated, scoped, and cleaned up.

EnvForge should own the lifecycle instead of asking every workspace to paste an auth key into a shell. The organization connects once, then shell and runtime VMs join with tags that policy can understand.

  1. OAuth client

    An organization admin connects a scoped Tailscale OAuth client for automated device provisioning.

  2. SSM SecureString

    EnvForge stores the OAuth client secret as an organization-scoped SecureString and does not copy it into workspace repos.

  3. Tagged devices

    Shell and runtime VMs join the tailnet with organization and workspace tags so policy can distinguish shell, runtime, and dedicated hosts.

  4. Device cleanup

    When a host is replaced, a runtime is deprovisioned, or an organization disconnects Tailscale, EnvForge removes stale devices.
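The cleanup step above has to decide which tailnet devices EnvForge actually owns before removing anything. The following reconciliation function is an added example, not EnvForge's own code: it takes a device listing in the shape returned by the Tailscale devices API (constructed sample below) and flags only devices carrying the envforge-shell or envforge-runtime tags whose workspace is gone or which have been silent too long. The per-workspace tag prefix `tag:envforge-ws-` and the 24-hour silence threshold are assumptions, not something the page specifies.

```python
from datetime import datetime, timedelta, timezone

# Tags EnvForge applies when shell and runtime VMs join the tailnet (from the page).
ENVFORGE_TAGS = {"tag:envforge-shell", "tag:envforge-runtime"}
# Assumed convention: each VM also carries a per-workspace tag with this prefix.
WORKSPACE_TAG_PREFIX = "tag:envforge-ws-"


def stale_envforge_devices(devices, live_workspaces, now, max_silence=timedelta(hours=24)):
    """Return ids of EnvForge-owned devices that should be removed from the tailnet.

    A device counts as EnvForge-owned only if it carries one of ENVFORGE_TAGS;
    anything else on the tailnet (laptops, other teams' hosts) is never touched.
    An owned device is stale when its workspace tag no longer maps to a live
    workspace (host replaced, runtime deprovisioned) or when it has not been
    seen for longer than max_silence.
    """
    stale = []
    for dev in devices:
        tags = set(dev.get("tags", []))
        if not tags & ENVFORGE_TAGS:
            continue  # not ours: leave it alone regardless of age
        workspaces = {t[len(WORKSPACE_TAG_PREFIX):] for t in tags if t.startswith(WORKSPACE_TAG_PREFIX)}
        last_seen = datetime.fromisoformat(dev["lastSeen"].replace("Z", "+00:00"))
        orphaned = not workspaces or not (workspaces & live_workspaces)
        silent = now - last_seen > max_silence
        if orphaned or silent:
            stale.append(dev["id"])
    return stale


# Constructed sample listing; field names mirror the Tailscale devices API.
SAMPLE_DEVICES = [
    {"id": "1", "hostname": "ws-alpha-shell", "tags": ["tag:envforge-shell", "tag:envforge-ws-alpha"],
     "lastSeen": "2024-05-01T11:50:00Z"},                        # live workspace, recently seen
    {"id": "2", "hostname": "ws-beta-runtime", "tags": ["tag:envforge-runtime", "tag:envforge-ws-beta"],
     "lastSeen": "2024-05-01T11:55:00Z"},                        # workspace beta was deprovisioned
    {"id": "3", "hostname": "ws-alpha-runtime-old", "tags": ["tag:envforge-runtime", "tag:envforge-ws-alpha"],
     "lastSeen": "2024-04-20T09:00:00Z"},                        # replaced host, silent for days
    {"id": "4", "hostname": "alice-laptop", "tags": [], "lastSeen": "2024-03-01T00:00:00Z"},  # not EnvForge's
]
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(stale_envforge_devices(SAMPLE_DEVICES, {"alpha"}, NOW))  # ['2', '3']
```

The returned ids are the only devices a cleanup job should delete; untagged device 4 stays even when no workspaces are live at all.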

Policy boundary

Private network access does not widen public dev link access.

The public dev gateway can stay enabled for signed reviewer links while Tailscale covers private shell or runtime surfaces. Signed dev links still block SSH, logs, secrets, and runtime admin.

Surface: Auth0 and dashboard
Allowed: Login, organization context, project role checks, signed link creation, billing, and admin settings.
Blocked: Bypassing EnvForge product authorization just because a device is on the tailnet.

Surface: Signed dev links
Allowed: Public reviewer access to web, same-origin /api, assets, WebSockets, and marketing routes.
Blocked: SSH, logs, secrets, runtime admin, root policy, Mailpit, and private resource consoles.

Surface: Tailscale private access
Allowed: Private shell and runtime routes for approved tailnet users and tagged EnvForge devices.
Blocked: Expanding public dev link scope or replacing EnvForge role checks.